-
Privacy Notice for EY Student Applicants
Last updated: 19/09/2023
1. Introduction
We are Ernst & Young LLP (“EY”) (“we” or “us”) and are registered in England and Wales under registration number OC300001. Our registered office is at 1 More London Place, London, SE1 2AF.
This notice explains how we will handle any personal data that you provide, or we otherwise obtain in connection with your application for a job with us.
For the purposes of data protection law, we are the ‘controller’ of this personal data.
2. How and why we use your personal data
In this section we have set out:
- the general categories of personal data that we will process in connection with your application;
- the purposes for which we may process that personal data; and
- the legal basis for that processing.
We mainly rely on two legal bases for processing your personal data:
- our legitimate interests, as data controller in some circumstances (more information round those circumstances can be found below).
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Personal data collected
Reason for processing
Lawful basis for the processing
Basis for processing special categories of personal data or data relating to criminal convictions and offences
Registration data: username, email address, and password
Creating a user account for you, enabling you to access your account once created, keeping your account secure and communicating with you in connection with your application
Performance of a contract - enabling applicants to submit, and us to receive and consider, applications for jobs with us
EY’s legitimate interest in processing and managing applications for roles at EY, including the screening and selection of candidates
N/A
Required verification data: Passport number, passport expiry date, university student ID number, and university or school admissions team contact names
This information is required to verify your identity at point of offer to avoid against false or suspicious applications
EY’s legitimate interest in avoiding false, suspicious, or fraudulent activity within student applications to EY.
Username, email address, and Application data
Contacting you about subsequent job opportunities with us in the event that your application for this recruitment round is unsuccessful
EY’s legitimate interest in processing and managing applications for roles at EY, including the screening and selection of candidates
If you do not want us to use your username, email address, and Application Data in this way, you can request we stop at any time by sending us an email
N/A
Application data: contact details, educational and employment history, information about your skills, qualifications and experience and any other information we ask you to provide and/or which you choose to provide in your answers
For the purposes of considering your application for a job with us and communicating with you in connection with your application
Performance of a contract - assessing the suitability of applicants for jobs with us
EY’s legitimate interest in processing and managing applications for roles at EY, including the screening and selection of candidates
N/A
Equal opportunities data: Age, Gender, Race or ethnic origin, Religion or belief, Disability and Sexual Orientation
The processing of Age is mandatory. The remaining information is optional
We may process equal opportunities data for the purposes of monitoring and promoting equal opportunities within our organisation, complying with our obligations under laws relating to equal opportunities in employment
EY’s legitimate interest in human resource administration and finance
Compliance with a legal obligation
Equal opportunities data (eg, information relating to race or ethnicity, religion, health, and sexual orientation): processing is necessary in the field of employment, social security and social protection law; processing is necessary for reasons of substantial public interest and the relevant substantial public condition under the Data Protection Act 2018 is monitoring equality of opportunity and treatment
Criminal convictions data: information relating to unspent criminal convictions or offences
We may process criminal convictions data for the purposes of considering your suitability for the job that you are applying for
Compliance with a legal obligation (basic criminal record checks are regulatory requirements for most roles)
EY’s legitimate interest in hiring, promoting or assigning people to engagements that are trustworthy and suited for the role
To the extent criminal data is processed: processing is necessary in the field of employment law; processing is necessary for the purposes of preventing fraud and regulatory requirements relating to, amongst other things, unlawful acts and dishonesty
Reasonable adjustments data: information related to whether you require any reasonable adjustments
We will not ask you for details of any relevant disability or health condition, but you may tell us if you consider that it is necessary for us to know this information
Performance of a contract - assessing the suitability of applicants for jobs with us
Compliance with a legal obligation
Equal opportunities data (information relating to health): processing is necessary in the field of employment, social security and social protection law; processing is necessary for reasons of substantial public interest and the relevant substantial public condition under the Data Protection Act 2018 is monitoring equality of opportunity and treatment
Assessment data: your answers and the results of the assessment and data generated by the assessment system
The source of the assessment data is you and the automated testing system used by us or our assessment service providers. We may process this assessment data for the purposes of assessing your suitability for the job you have applied for
EY’s legitimate interests - assessing the suitability of applicants for jobs with us
N/A
Interview data: information about you recorded following an interview
The source of the interview data is you and the interviewers and/or assessors. This interview data may be processed for the purposes of assessing your suitability for the job you are applying for
Performance of a contract - assessing the suitability of applicants for jobs with us
EY’s legitimate interests - assessing the suitability of applicants for jobs with us
N/A
Reference data: relating to your education history, employment history, your character, and your performance at work
The source of the reference data is the referees that you specify in your application. This reference data may be processed for the purposes of considering your application
EY’s legitimate interests - assessing the suitability of applicants
N/A
Contact Data: information contained in or relating to any communication that you send to us or that we send to you in connection with your application
For the purposes of communicating with you, responding to your queries, providing you with assistance in relation to your application, administering your application and our own record-keeping
Performance of a contract - proper administration of our business, recruitment in connection with our business and communications with relevant persons
N/A
Use of personal data in connection with legal claims - personal data identified in this table
Where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure
EY’s legitimate interests - in the establishment, exercise, or defence of legal claims
To the extent criminal data is processed: processing is necessary in the field of employment law; processing is necessary for the purposes of preventing fraud and regulatory requirements relating to, amongst other things, unlawful acts and dishonesty
To the extent special categories of personal data are processed: processing is necessary in the field of employment, social security and social protection law; processing is necessary for the establishment, exercise or defence of legal claims
If your application is successful and you become an EY employee, we will provide a new privacy notice to you explaining our processing of employee personal data, which will supersede this notice.
3. Providing your personal data to others
EY Network: We may disclose the personal data described in section 2 to any relevant members of the global network of Ernst & Young firms if and insofar as this is reasonably necessary for the purposes set out in this notice.
Our insurers and professional advisers: We may disclose the personal data described in section 2 to our insurers and/or professional advisers if and insofar as reasonably necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice and managing legal disputes.
Our suppliers and subcontractors: Some of the personal data described in section 2 may be shared with and/or processed and/or generated by our suppliers and subcontractors. Specifically, all personal data obtained through the online application system will be accessible to and processed by Amberjack Global Limited, which has developed and provided and hosts the online application system for the purposes of managing this recruitment round and carries out various recruitment and assessment activities on our behalf and on the basis of our instructions.
AmberTrack
AmberTrack is the system on which your information will be hosted on. This system hosts all student applicant information, including information from separate suppliers such as Cappfinity who provide the assessment which you may be required to undertake.
For clarity, AmberTrack is the name of the system on which your information will be processed. AmberTrack is created and owned by ‘Amberjack’.
Members of Amberjack’s staff (employees and contractors) will also access and process some of the personal data described in section 2 insofar as is reasonably necessary to carry out their allocated tasks in relation to this recruitment. Amberjack uses Microsoft Corporation, Amazon Web Services and Prodec Networks Ltd to host the online application system.Their processing is generally fully automated and does not involve individual staff accessing personal data, although this might happen in certain circumstances, such as when necessary to provide support services to Amberjack or when required by law to disclose certain information. Some of the personal data may also be shared with providers of online testing, such as Cappfinity, to be used as part of our assessment of applicants, insofar as is reasonably necessary to enable applicants to take the test and for the supplier to provide us with the results of the test.
For more information, please refer to the AmberTrack privacy notice on this page.
Cappfinity
Cappfinity Assessments (“Cappfinity”) is the platform on which any relevant assessments, prior to interview stage, will be conducted. The Tool assesses competencies and aptitude of candidates using a digital psychometric assessment based on game technology.
EY undertakes automated decision-making regarding applications based on the assessments from Cappfinity. For more information, please refer to the Cappfinity privacy notice on this page.
4. International transfers of your personal data
In this section 4, we provide information about the circumstances in which your personal data may be transferred to countries outside the UK and European Economic Area (EEA).
This involves transferring personal data in various jurisdictions (including jurisdictions outside the UK and European Union) in which EY operates (EY office locations are listed at www.ey.com/ourlocations). EY will process your personal data in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules (www.ey.com/bcr).
5. Retaining and deleting personal data
This section 5 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Successful applicants: data that you provide, or we otherwise obtain in connection with your application for a job, will be retained in line with our employee privacy notice, which will be provided to you along with your job offer.
- Unsuccessful applicants: data that you provide, or we otherwise obtain in connection with your application for a job, will be retained up to shortly after the end of EY’s current recruitment cycle (each cycle ends 30 September).
Notwithstanding the other provisions of this section 5, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, in order to protect your vital interests or the vital interests of another natural person, or for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. In these circumstances we will only retain personal data for as long as is necessary for the relevant purposes and in any event for no longer than 7 years.
6. Security of personal data
EY is committed to making sure your personal data is secure. To prevent unauthorized access or disclosure, EY has technical and organizational measures to safeguard and secure your personal data. All EY personnel and third parties EY engages to process your personal data are obliged to respect your data’s confidentiality.
You should ensure that your passwords used to access the online application system are not susceptible to being guessed, whether by a person or a computer program. You are responsible for keeping the passwords confidential and we will not ask you for your passwords (except when you log in to the online application system).
7. Your rights
In this section 7, we have summarised the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
Your principal rights under data protection law in respect of your personal data that we process are:
- Right of access. You have the right to obtain a copy of your personal data;
- Right to rectification. You have the right to have your personal data amended if it is inaccurate;
- Right to erasure. In certain circumstances, you have the right to require us to erase your personal data if the continued processing of that personal data is not justified;
- Right to restriction. In certain circumstances, you have the right to require us to limit the purposes for which we process your personal data if the continued processing of the personal data in this way is not justified, such as where the accuracy of the personal data is contested by you; and
- Right to portability: In certain circumstances, you have the right to receive a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format or to request the transfer of your personal data to another person.
You also have a right, in some circumstances, to object to any processing based on our legitimate interests. There may, however, be compelling reasons for continuing to process your personal data and we will assess and inform you if that is the case.
Please note that the above rights are not absolute, and we may be entitled to refuse requests, wholly or partly, where exceptions under the applicable law apply.
You may exercise any of your rights in relation to your personal data by emailing global.data.protection@ey.com.
8. Contact Us
If you have any questions or complaints about this Notice or how we use your personal data, please contact global.data.protection@ey.com.
You also have a right to lodge a complaint to the UK data protection authority. Please see www.ico.org.uk for further information on how to contact the Information Commissioner.
9. Updates to this Notice
We may update this notice at any time but if we do so, we will provide you with an updated copy of this notice as soon as reasonably practical. Further, see top of the notice for the date when this notice was last updated.
-
AmberTrack Privacy Notice
1. Introduction
This Privacy Notice is intended to describe the practices EY follows in relation to AmberTrack (“Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool. This Privacy Notice should be read together with the EY student applicant privacy notice and the Cappfinity Assessments privacy notice. Please read this Privacy Notice carefully.
2. Who manages the Tool?
“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity and can act as a data controller in its own right (i.e. act as a data controller or in a similar capacity). The entity that is acting as data controller (or similar capacity) by providing this Tool on which your personal data will be processed and stored is Ernst & Young LLP, 1 More London Place (‘EY’) (‘we’ or ‘us’). EY licenses the Tool from AmberJack Global Limited, Newbury House, 20 King Road, West Berkshire, RG14 5XR, United Kingdom.
The personal data in the Tool is shared by EY Services Limited with one or more member firms of EYG (see “Who can access your personal data” section below).
The Tool is hosted on servers in the UK.
3. Why do we need your personal data?
The Tool manages the student recruitment application process to EY.
Your personal data processed in the Tool is used to host all relevant information relating to your application with EY.
EY relies on the several basis to legitimise the processing of your personal data in the Tool, please see the table below for more information.
In line with the table below processing of your personal data is sometimes necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The specific legitimate interest(s) are listed in the table below.
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on the below legitimate interest(s).
4. What type of personal data is processed in the Tool?
The Tool processes the personal data categories set out in the table below.
This data is sourced from you directly, and other third parties, such as Cappfinity. For further information regarding Cappfinity Assessments, which EY uses to make automated decisions, please see the appropriate privacy notice on this page and the EY student applicant privacy notice.
Personal data collected
Reason for processing
Lawful basis for the processing
Basis for processing special categories of personal data or data relating to criminal convictions and offences
Registration data: username, email address, and password
Creating a user account for you, enabling you to access your account once created, keeping your account secure and communicating with you in connection with your application
Performance of a contract - enabling applicants to submit, and us to receive and consider, applications for jobs with us
EY’s legitimate interest in processing and managing applications for roles at EY, including the screening and selection of candidates
N/A
Required verification data:
Passport number, passport expiry date, university Student ID number, and University or school admissions team contact namesThis information is required to verify your identity at point of offer to avoid against false or suspicious applications
EY’s legitimate interest in avoiding false, suspicious, or fraudulent activity within student applications to EY.
Username, email address, and Application data
Contacting you about subsequent job opportunities with us in the event that your application for this recruitment round is unsuccessful
EY’s legitimate interest in processing and managing applications for roles at EY, including the screening and selection of candidates
If you do not want us to use your username, email address, and Application Data in this way, you can request we stop at any time by sending us an email
N/A
Application data: contact details, educational and employment history, information about your skills, qualifications and experience and any other information we ask you to provide and/or which you choose to provide in your answers
For the purposes of considering your application for a job with us and communicating with you in connection with your application
Performance of a contract - assessing the suitability of applicants for jobs with us
EY’s legitimate interest in processing and managing applications for roles at EY, including the screening and selection of candidates
N/A
Equal opportunities data: Age, Gender, Race or ethnic origin, Religion or belief, Disability and Sexual Orientation
The processing of Age is mandatory. The remaining information is optional.
We may process equal opportunities data for the purposes of monitoring and promoting equal opportunities within our organisation, complying with our obligations under laws relating to equal opportunities in employment
EY’s legitimate interest in human resource administration and finance
Compliance with a legal obligation
Equal opportunities data (eg, information relating to race or ethnicity, religion, health, and sexual orientation): processing is necessary in the field of employment, social security and social protection law; processing is necessary for reasons of substantial public interest and the relevant substantial public condition under the Data Protection Act 2018 is monitoring equality of opportunity and treatment
Criminal convictions data: information relating to unspent criminal convictions or offences
We may process criminal convictions data for the purposes of considering your suitability for the job that you are applying for
Compliance with a legal obligation (basic criminal record checks are regulatory requirements for most roles).
EY’s legitimate interest in hiring, promoting or assigning people to engagements that are trustworthy and suited for the role
To the extent criminal data is processed: processing is necessary in the field of employment law; processing is necessary for the purposes of preventing fraud and regulatory requirements relating to, amongst other things, unlawful acts and dishonesty
Reasonable adjustments data: information related to whether you require any reasonable adjustments
We will not ask you for details of any relevant disability or health condition, but you may tell us if you consider that it is necessary for us to know this information
Performance of a contract - assessing the suitability of applicants for jobs with us.
Compliance with a legal obligation
Equal opportunities data (information relating to health): processing is necessary in the field of employment, social security and social protection law; processing is necessary for reasons of substantial public interest and the relevant substantial public condition under the Data Protection Act 2018 is monitoring equality of opportunity and treatment
Assessment data: your answers and the results of the assessment and data generated by the assessment system
The source of the assessment data is you and the automated testing system used by us or our assessment service providers. We may process this assessment data for the purposes of assessing your suitability for the job you have applied for. Assessment information is captured within a platform called Cappfinity Assessments. Please see their privacy policy on this page.
EY’s legitimate interests - assessing the suitability of applicants for jobs with us
N/A
Interview data: Information about you recorded following an interview
The source of the interview data is you and the interviewers and/or assessors. This interview data may be processed for the purposes of assessing your suitability for the job you are applying for
Performance of a contract - assessing the suitability of applicants for jobs with us
EY’s legitimate interests - assessing the suitability of applicants for jobs with us
N/A
Contact Data: information contained in or relating to any communication that you send to us or that we send to you in connection with your application
For the purposes of communicating with you, responding to your queries, providing you with assistance in relation to your application, administering your application and our own record-keeping
Performance of a contract - proper administration of our business, recruitment in connection with our business and communications with relevant persons
N/A
1. Sensitive Personal Data
Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.
The following sensitive personal data is collected and processed in the Tool should you wish to submit the below information:
- Racial or ethnic origin
- Sexual orientation
- Religion or belief
- Health (e.g. disabilities)
The provision of information relating to criminal convictions is mandatory for compliance with legal obligations – see above table for more information.
2. Who can access your information?
Your personal data is accessed in the Tool by the following persons/teams:
Role
Location
Purpose for which access is required
Level of access rights (e.g. read-only, edit, delete)
EY Recruiters
UK
Assess candidates and obtain information on the prioritisation/scoring of candidates and any potential follow ups.
Read, edit, delete
Access rights restricted by country.
IBM
Canada, China, Czech Republic, Hungary, India, Malaysia, Mexico, Oceania, Philippines, Poland, UK and US
Maintenance and Support
Multiple
The access rights detailed above involves transferring personal data in various jurisdictions (including jurisdictions outside the European Union) in which EY operates (EY office locations are listed at www.ey.com/ourlocations). EY will process your personal data in the Tool in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules (www.ey.com/bcr).
We transfer or disclose the personal data we collect to third-party service providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage service providers to provide, run and support our IT infrastructure (such as identity management, hosting, data analysis, back-up, security and cloud storage services) and for the storage and secure disposal of our hard copy files. It is our policy to only use third-party service providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected.
To the extent that personal data has been rendered anonymous in such a way that you or your device are no longer reasonably identifiable, such information will be treated as non-personal data and the terms of this Privacy Notice will not apply.
1. Data retention
Our policy is to retain personal data only for as long as it is needed for the purposes described in the section “Why do we need your personal data”. Retention periods vary in different jurisdictions and are set in accordance with local regulatory and professional retention requirements.
In order to meet our professional and legal requirements, to establish, exercise or defend our legal rights and for archiving and historical purposes, we need to retain information for significant periods of time.
The policies and/or procedures for the retention of personal data in the Tool are that your data will be retained up to shortly after the end of EY’s current recruitment cycle (each cycle ends 30 September).
Your personal data will be retained in compliance with privacy laws and regulations.
After the end of the data retention period, your personal data will be deleted or anonymized in the Tool.
2. Security
EY is committed to making sure your personal data is secure.
To prevent unauthorized access or disclosure, EY has technical and organizational measures to safeguard and secure your personal data. All EY personnel and third parties EY engages to process your personal data are obliged to respect your data’s confidentiality.
3. Controlling your personal data
EY will not transfer your personal data to third parties (other than any external parties referred to in section 6 above) unless we have your permission or are required by law to do so.
You are legally entitled to request details of EY’s personal data about you.
To confirm whether your personal data is processed in the Tool or to access your personal data in the Tool, contact your usual EY representative or email your request to global.data.protection@ey.com.
4. Object, rectification, erasure, restriction of processing or data portability
You can confirm your personal data is accurate and current. You can request rectification, erasure, restriction of processing or a readily portable copy of your personal data by contacting your usual EY representative or by sending an e-mail to global.data.protection@ey.com
5. Complaints
If you are concerned about an alleged breach of privacy law or any other regulation, contact EY’s Global Privacy Leader, Office of the General Counsel, 6 More London Place, London, SE1 2DA, United Kingdom or via email at global.data.protection@ey.com or via your usual EY representative. An EY Privacy Leader will investigate your complaint and provide information about how it will be handled and resolved.
If you are not satisfied with how EY resolved your complaint, you have the right to complain to your country’s data protection authority. You can also refer the matter to a court of competent jurisdiction.
Certain EY member firms in countries outside the European Union (EU) have appointed a representative in the EU to act on their behalf if, and when, they undertake data processing activities to which the EU General Data Protection Regulation (GDPR) applies. Further information and the contact details of these representatives are available here.
6. Contact us
If you have additional questions or concerns, contact your usual EY representative or email global.data.protection@ey.com.
-
Cappfinity Privacy Notice
1. Introduction
This Privacy Notice is intended to describe the practices EY follows in relation to Cappfinity Assessments (“Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool. This Privacy Notice should be read together with the EY student applicant privacy notice and the AmberTrack privacy notice. Please read this Privacy Notice carefully.
2. Who manages the Tool?
“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity and can act as a data controller in its own right. The entity that is acting as data controller by providing this Tool on which your personal data will be processed and stored is Ernst & Young LLP, 1 More London Place (‘EY’) (‘we’ or ‘us’). EY Global Services Limited licenses the Tool from an external vendor, Capp & Co Limited (“Capp”) (2230-2235 Regents Court, The Crescent, Birmingham Business Park, B37 7YE).
The personal data in the Tool is shared by EY Global Services Limited with one or more member firms of EYG (see “Who can access your information” section below).
The Tool is hosted on servers externally by the vendor or its third-party hosting provider in the Rackspace data centre in Greater London, UK.
3. Why do we need your personal data?
Your personal data is required so you may undertake the relevant required assessments to proceed your application with us. The Tool assesses competencies and aptitude of candidates using a digital psychometric assessment based on game technology.
Your personal data processed in the Tool is used as follows:
Candidate response data is processed in the Tool using an algorithm. The resulting analysis is used with candidate identifiers in order to determine progression through the recruitment process. Progression is based entirely on assessment scores and not on demographic data. The assessment algorithm produces a score, from which EY undertakes automated decision-making.
Automated decision-making is when an electronic system (e.g., the Tool) uses personal data to make a decision without any human influence on the outcome. This means that, during the assessment, if you fail to meet the pass score, your application will be automatically rejected by EY without a human review. EY is allowed to use automated decision-making where it is necessary for performance of a contract with you and where appropriate measures are in place to safeguard your rights.
If you do not agree with the automated decision-making and would like to invoke your right to a review, you may appeal by contacting us at the email address in Section 12.
EY relies on the following basis to legitimise the processing of your personal data in the Tool:
Processing of your personal data is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The specific legitimate interests are processing and managing applications for roles at EY and assessing the suitability of applicants for jobs with us.
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on the above legitimate interest(s).
In order to proceed with student applications, you will be required to undertake the assessment on the Tool. This assessment procedures a score, which EY uses for automated decision-making against set criteria to determine a pass or fail mark. EY relies on performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract.
Any results from the assessment will be transferred to AmberTrack as part of your application. To understand more about AmberTrack, please see the appropriate privacy notice on this page and the EY student applicant privacy notice.
4. What type of personal data is processed in the Tool?
The Tool processes the personal data categories listed below, along with the source of the data.
Personal data categories
Sourced from
EY Recruiters
Full name
Email address
Audit logs relating to user login
A feed from other EY Systems (SuccessFactors)
Candidates
Full name
Email address
Assessment data
Audit logs relating to user login
Candidate ID number
Video from the online assessment 'EYOne'
A feed from AmberTrack
Provided directly by Candidates
1. Sensitive Personal Data
Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.
EY does not intentionally collect any sensitive personal data from you via Cappfinity Assessments. There is no intention to process such information on this Tool. Please note that AmberTrack may process sensitive personal data, if you have provided it in that tool.
2. Who can access your information?
Your personal data is accessed in the Tool by the following persons/teams:
Role
Location
Purpose for which access is required
Level of access rights (e.g. read-only, edit, delete)
EY Recruiters
Global (depending on where it is deployed)
Assess candidates and obtain information on the prioritisation/scoring of candidates and any potential follow ups.
Read, edit, delete
Access rights restricted by country.
EY Local Recruitment Leadership
Global (depending on where it is deployed)
Assess candidates and obtain information on the prioritisation/scoring of candidates and any potential follow ups
Update profiles and access rights of EY Recruiters
Update local country instance of the Tool as needed
Read, edit, delete and administrative rights
Candidates
Global (depending on where it is deployed)
View assessment results
Read-only
Capp users
UK
Maintenance and support
Read, write, edit, delete. Access to global data from UK location.
Tata Consultancy Services (TCS)
India and Mexico
Maintenance and support
Read, write, edit, delete. Access to global data from India and Mexico location.
IBM
Canada, China, Czech Republic, Hungary, India, Malaysia, Mexico, Oceania, Philippines, Poland, UK and US
Maintenance and Support
Multiple
The access rights detailed above involves transferring personal data in various jurisdictions (including jurisdictions outside the European Union) in which EY operates (EY office locations are listed at www.ey.com/ourlocations). EY will process your personal data in the Tool in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules.
We transfer or disclose the personal data we collect to third-party service providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage service providers to provide, run and support our IT infrastructure (such as identity management, hosting, data analysis, back-up, security and cloud storage services) and for the storage and secure disposal of our hard copy files. It is our policy to only use third-party service providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected.
To the extent that personal data has been rendered anonymous in such a way that you or your device are no longer reasonably identifiable, such information will be treated as non-personal data and the terms of this Privacy Notice will not apply.
1. Data retention
Our policy is to retain personal data only for as long as it is needed for the purposes described in the section “Why do we need your personal data”. Retention periods vary in different jurisdictions and are set in accordance with local regulatory and professional retention requirements.
In order to meet our professional and legal requirements, to establish, exercise or defend our legal rights and for archiving and historical purposes, we need to retain information for significant periods of time.
The policies and/or procedures for the retention of personal data in the Tool are:
- successful applicants: your data will be retained up to shortly after the end of the September from when you take up your place as an EY employee (this is to ensure the overall integrity of the student application process and avoid you having to repeat the assessment if taken as an internship application or should you defer your joining EY)
- unsuccessful applicant: your data will be retained up to 12 months after taking the assessment (this is to ensure the overall integrity of the student application process).
Your personal data will be retained in compliance with privacy laws and regulations.
After the end of the data retention period, your personal data will be deleted or anonymized in the Tool.
2. Security
EY is committed to making sure your personal data is secure. To prevent unauthorized access or disclosure, EY has technical and organizational measures to safeguard and secure your personal data. All EY personnel and third parties EY engages to process your personal data are obliged to respect your data’s confidentiality.
3. Controlling your personal data
EY will not transfer your personal data to third parties (other than any external parties referred to in section 6 above) unless we have your permission or are required by law to do so.
You are legally entitled to request details of EY’s personal data about you.
To confirm whether your personal data is processed in the Tool or to access your personal data in the Tool, contact your usual EY representative or email your request to global.data.protection@ey.com.
4. Object, rectification, erasure, restriction of processing or data portability
You can confirm your personal data is accurate and current. You can request rectification, erasure, restriction of processing or a readily portable copy of your personal data by contacting your usual EY representative or by sending an e-mail to global.data.protection@ey.com.
5. Complaints
If you are concerned about an alleged breach of privacy law or any other regulation, contact EY’s Global Privacy Leader, Office of the General Counsel, 6 More London Place, London, SE1 2DA, United Kingdom or via email at global.data.protection@ey.com or via your usual EY representative. An EY Privacy Leader will investigate your complaint and provide information about how it will be handled and resolved.
If you are not satisfied with how EY resolved your complaint, you have the right to complain to your country’s data protection authority. You can also refer the matter to a court of competent jurisdiction.
Certain EY member firms in countries outside the European Union (EU) have appointed a representative in the EU to act on their behalf if, and when, they undertake data processing activities to which the EU General Data Protection Regulation (GDPR) applies. Further information and the contact details of these representatives are available here.
6. Contact us
If you have additional questions or concerns, contact your usual EY representative or email global.data.protection@ey.com.
You are visiting EY UK (EN)
